Subprocessor List
Last Updated: May 17, 2026
MonitorExam uses trusted third-party providers ("Subprocessors") to deliver services. All subprocessors are carefully vetted and contractually obligated to protect customer data.
Current Subprocessors
Amazon Web Services (AWS)
- Purpose: Cloud hosting and infrastructure
- Data Types Accessed: Application data, exam recordings, user data
- Geographic Region: Global (configurable)
Cloudflare
- Purpose: CDN and security services
- Data Types Accessed: Network metadata, traffic logs
- Geographic Region: Global
SendGrid / Postmark
- Purpose: Email delivery services
- Data Types Accessed: Email addresses, notification content
- Geographic Region: North America, Europe
Stripe
- Purpose: Billing and payment processing
- Data Types Accessed: Billing information, transaction records
- Geographic Region: Global
Google Analytics
- Purpose: Website analytics and usage metrics
- Data Types Accessed: Aggregated usage data, session metadata
- Geographic Region: Global
AI Service Providers
- Purpose: AI-assisted monitoring and detection
- Data Types Accessed: Limited exam session data for model processing
- Geographic Region: Global
Subprocessor Evaluation Criteria
MonitorExam evaluates all subprocessors based on:
- Security Posture: Compliance with OWASP guidelines, encryption practices, access controls
- Reliability: Uptime guarantees, disaster recovery, business continuity
- Privacy Practices: Data minimization, privacy policies, compliance certifications
- Contractual Protections: Data Processing Agreements, liability clauses, audit rights
- Incident Response: Breach notification procedures, incident management capabilities
- Regulatory Compliance: GDPR, HIPAA, SOC 2, ISO 27001 alignment
Subprocessor Management
MonitorExam takes the following steps to manage subprocessors:
- Due Diligence: Initial security and compliance assessments before engaging any subprocessor.
- Contractual Protections: All subprocessors are contractually bound to protect customer data with terms at least as strict as MonitorExam's commitments.
- Regular Reviews: Periodic security assessments and compliance reviews of all subprocessors.
- Incident Reporting: Subprocessors are required to report security incidents affecting customer data within 24 hours.
- Audit Rights: MonitorExam maintains audit rights over subprocessor security practices and controls.
Updates & Notifications
The subprocessor list may be updated periodically as services evolve or new vendors are engaged. We will:
- Publish updates to this page
- Notify customers of material changes to our subprocessor list
- Provide customers with an opportunity to review changes
- Obtain customer approval for subprocessors processing sensitive data
Change Notification: Customers will be notified at least 30 days prior to adding or removing subprocessors.
International Data Transfers
Some subprocessors process data internationally. MonitorExam implements Standard Contractual Clauses (SCCs) and other safeguards to ensure legally compliant transfers.
Questions About Subprocessors?
For specific questions about subprocessors, their data access, or security practices, please contact our privacy team.